From patchwork Thu Sep  6 12:35:26 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sven Eckelmann <sven@narfation.org>
X-Patchwork-Id: 17469
X-Patchwork-Delegate: sw@simonwunderlich.de
Return-Path: <b.a.t.m.a.n-bounces@lists.open-mesh.org>
X-Original-To: patchwork@open-mesh.org
Delivered-To: patchwork@open-mesh.org
Received: from open-mesh.org (localhost [IPv6:::1])
	by open-mesh.org (Postfix) with ESMTP id C057382F45;
	Thu,  6 Sep 2018 14:35:42 +0200 (CEST)
Authentication-Results: open-mesh.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=narfation.org header.i=@narfation.org
	header.b="zCIVRRj3"; dkim-atps=neutral
Received-SPF: Pass (mailfrom) identity=mailfrom;
	client-ip=2001:4d88:2000:7::2;
	helo=v3-1039.vlinux.de; envelope-from=sven@narfation.org;
	receiver=<UNKNOWN>
Received: from v3-1039.vlinux.de (narfation.org [IPv6:2001:4d88:2000:7::2])
	by open-mesh.org (Postfix) with ESMTPS id A532882F43
	for <b.a.t.m.a.n@lists.open-mesh.org>;
	Thu,  6 Sep 2018 14:35:39 +0200 (CEST)
Received: from sven-desktop.home.narfation.org
	(p200300C593D79FFA9732AEE00057D068.dip0.t-ipconnect.de
	[IPv6:2003:c5:93d7:9ffa:9732:aee0:57:d068])
	by v3-1039.vlinux.de (Postfix) with ESMTPSA id 1BC681100E1;
	Thu,  6 Sep 2018 14:35:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=narfation.org;
	s=20121; t=1536237339;
	bh=jth3JGQSwEeN0o3l2tOPLbhKIcwYnKTEfDiYF9FmoXs=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=zCIVRRj3Q6n3PNHIkOZ3FMWWiKZHB0+xgDL5L6BvsKvYhy4fl3e7GhjSQNZ7nwUlN
	eMRv0K0gWks5QesAOPiDQyhNgjmT7E2Ww8HwbP3nOEXEC0odiwttMhT0WL2wUWxMxB
	guK9CPiu2G3mMoetZgrxPk3ChMDy7ZgMGc0Ybacs=
From: Sven Eckelmann <sven@narfation.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Date: Thu,  6 Sep 2018 14:35:26 +0200
Message-Id: <20180906123528.30490-4-sven@narfation.org>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20180906123528.30490-1-sven@narfation.org>
References: <20180906123528.30490-1-sven@narfation.org>
Subject: [B.A.T.M.A.N.] [PATCH v2 3/5] batman-adv: Prevent duplicated
	softif_vlan entry
X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n.lists.open-mesh.org>
List-Unsubscribe: <https://lists.open-mesh.org/mm/options/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=unsubscribe>
List-Archive: <http://lists.open-mesh.org/pipermail/b.a.t.m.a.n/>
List-Post: <mailto:b.a.t.m.a.n@lists.open-mesh.org>
List-Help: <mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=help>
List-Subscribe: <https://lists.open-mesh.org/mm/listinfo/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=subscribe>
Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n@lists.open-mesh.org>
Errors-To: b.a.t.m.a.n-bounces@lists.open-mesh.org
Sender: "B.A.T.M.A.N" <b.a.t.m.a.n-bounces@lists.open-mesh.org>

The function batadv_softif_vlan_get is responsible for adding new
softif_vlan to the softif_vlan_list. It first checks whether the entry
already is in the list or not. If it is, then the creation of a new entry
is aborted.

But the lock for the list is only held when the list is really modified.
This could lead to duplicated entries because another context could create
an entry with the same key between the check and the list manipulation.

The check and the manipulation of the list must therefore be in the same
locked code section.

Fixes: 952cebb57518 ("batman-adv: add per VLAN interface attribute framework")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
v2:
* changed batadv_softif_create_vlan to handle problems in
  batadv_sysfs_add_vlan as fatal error

 net/batman-adv/soft-interface.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 1485263a..626ddca3 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -574,15 +574,20 @@ int batadv_softif_create_vlan(struct batadv_priv *bat_priv, unsigned short vid)
 	struct batadv_softif_vlan *vlan;
 	int err;
 
+	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
+
 	vlan = batadv_softif_vlan_get(bat_priv, vid);
 	if (vlan) {
 		batadv_softif_vlan_put(vlan);
+		spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
 		return -EEXIST;
 	}
 
 	vlan = kzalloc(sizeof(*vlan), GFP_ATOMIC);
-	if (!vlan)
+	if (!vlan) {
+		spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
 		return -ENOMEM;
+	}
 
 	vlan->bat_priv = bat_priv;
 	vlan->vid = vid;
@@ -590,17 +595,23 @@ int batadv_softif_create_vlan(struct batadv_priv *bat_priv, unsigned short vid)
 
 	atomic_set(&vlan->ap_isolation, 0);
 
+	kref_get(&vlan->refcount);
+	hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
+	spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
+
+	/* batadv_sysfs_add_vlan cannot be in the spinlock section due to the
+	 * sleeping behavior of the sysfs functions and the fs_reclaim lock
+	 */
 	err = batadv_sysfs_add_vlan(bat_priv->soft_iface, vlan);
 	if (err) {
-		kfree(vlan);
+		/* ref for the function */
+		batadv_softif_vlan_put(vlan);
+
+		/* ref for the list */
+		batadv_softif_vlan_put(vlan);
 		return err;
 	}
 
-	spin_lock_bh(&bat_priv->softif_vlan_list_lock);
-	kref_get(&vlan->refcount);
-	hlist_add_head_rcu(&vlan->list, &bat_priv->softif_vlan_list);
-	spin_unlock_bh(&bat_priv->softif_vlan_list_lock);
-
 	/* add a new TT local entry. This one will be marked with the NOPURGE
 	 * flag
 	 */